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A METHOD OF USING TRANSIENT FAULTS 
TO VERIFY THE SECURITY OF A CRYPTOSYSTEM 

BACKGROUND OF THE INVENTION 
Field of the Invention 

The present invention relates to cryptanalysis and, more particularly, 
relates to methods for "cracking", or deciphering, cryptosystems, by analyzing 
one or more erroneous outputs to infer information ordinarily difficult or 
impossible for a party not privy to secret information. Knowing how a 
cryptosystem may be cracked suggests methods for avoiding attacks on the 
cryptosystem, thus further improving the integrity of the cryptosystem. A 
security expert or cryptosystem designer may use the inventive methods in the 
design of cryptography devices to verify that an existing or proposed device is 
impervious to such attacks. 

Discussion of Related Art 

Cryptography has become essential to the acceptance of electronic 
commerce and sensitive electronic communications. For example, secure digital 
signatures and verification methods provide high assurance that a party is who 
it represents itself to be. This assurance is vital to the general acceptance of, 
for example, commerce over the Internet, the use of electronic money, cellular 
communications, and remote computer login procedures. Typically, certain 
well-known cryptographic methods are used to encrypt information in a manner 
that is very difficult to decrypt without certain secret information, thus making 




these signatures and verifications secure. One type of cryptographic method 
which is commonly used is public key cryptography. 
1. Public Key Cryptography 
In a typical public key cryptographic system, each party / has a public key 
5 (or exponent) P, and a secret key (or exponent) S,. The public key P, is known 
to everyone, but the secret key S, is known only to party /. A plain text 
message m to user / is encrypted to form the cipher text message x using a 
public operation P which makes use of the public key P, known to everyone, 
i.e., x = P(a77,P,). The cipher text message x is decrypted using a secret 
10 operation S which makes use of the secret key S,, i.e., m = S(x,S,). Only party 
/ who has the secret key S x can perform the secret operation to decrypt the 
encrypted message x to obtain clear text message m. 

Public key cryptographic techniques may be used for authentication. 
Authentication is a (theoretically) fool-proof technique for a party to verify that 
15 a party contacting it is the party is asserts to be. For example, a confidential 
network may require that a party authenticate itself before gaining access to 
the network. 

If it is true that P(S(x,S,),P t ) = x (recall the S(x,S,)=m, resulting in 
P{m,P t ) = x), then the owner of the corresponding keys P,, S, could sign message 
20 m by producing E=S(m,S t ), where £ indicates the signature. The verifier, given 
x and E, will verify x = P{E,P,). One type of a cryptography system could be 
used for verification as follows: challenge the party claiming to be / with 
message x and ask the party to sign the message x using his secret key S,-, then 
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verify the signature using P,. More efficient and secure authentication protocols 
may be used, such as the Fiat-Shamir and Schnorr protocols discussed below. 

Fig. 1A is a block diagram of a typical cryptography device 100. The 
device 100 has a processor 102 including one or more CPUs 102, a main 
5 memory 104, a disk memory 106, an input/output device 108, and a network 
interface 110. The devices 102-110 are connected to a bus 120 which 
transfers data, i.e., instructions and information between each of these devices 
102-110. 

Fig. 1B illustrates a network 1 50 over which cryptography devices 100 

_ 10 may communicate. Two or more cryptography devices 100, 100' may be 

fi connected to a communications network 1 52, such as a wide area network; 

gi which may be the Internet, a telephone network, or leased lines; or a local area 

y± network. Each device 100 may include a modem 154 or other network 

^ communication device to send encrypted messages over the communications 

^ 15 network 1 52. A cryptography device 1 00 may be a gateway to a sub-network 

~ 1 56. That is, the device 1 00 may be an interface between a wide area network 

~ 1 52 and a local area (sub) network 1 56. 

An example of a public key cryptographic technique which may be 

performed by the device 100 is the well known RSA technique. In accordance 

20 with this technique, a party / has stored in memory 1 04 or 1 06 its own public 

key (or exponent) e, and modulus N (where N is a product of two large prime 

numbers p,q) and a secret key in the form of an exponent s,. It has stored or 

K otherwise obtained the public key ^ of a party to which it wishes to send a 

A 

message. The party may have a plain text message m which it wishes to send 
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to party / without others knowing the content of m. The device 100 encrypts 

the message m to form x^rrf** mod N using processor 102 and perhaps 

A 

software stored in main memory 104. Party j's device can then decrypt x to 
obtain m by performing the operation /7? = X sy mod N. 

Another public key cryptographic technique is the Rabin modular square 
root. In this technique, the secret operation involves obtaining a modular 
square root and the public operation involves a modular squaring operation. 

Rabin's Signature Scheme is similar to the RSA signature system and 
relies on the difficulty of factoring for its security. As above, assume N-pq is 
a product of two large prime numbers p,q. To sign a document D, party i's 
device 100 first hashes D to a number D' between 1 and A/. The signer's 
device 100, which knows the secret factorization of the modulo N, computes 
the square root of D' (mod N) using the processor 102. Thus, the signature E 
is: 

E = V /D~ / (mod N) 

(1) 

Without knowing the factorization of N, computing the modular square root of 
a number is difficult. 

The Fiat-Shamir authentication scheme is a cryptosystem for a first party 
to authenticate its identity to another party. This is done as follows: party /'s 
cryptography device 1 00 and party j's cryptography device 1 00' (as seen in Fig. 
1B) agree on an /7-bit modulus N = pq, where p and q are each a large prime 
number. Party /'s secret keys are a set of invertible elements (i.e., bits) s 1r ...,s t 
(mod N) stored in the memory 104 or 106 of its cryptography device 100. 



Party /'s public key is the square of these invertible elements (bits) 
v y = s 1 2 ,...,v f = s t 2 (mod N). Party / authenticates itself to party / using the 
following protocol: 

1 . Party /'s cryptography device selects a random r, generates r 2 mod 
5 N, and transmits this value to party y's cryptography device. 

2. Party y's cryptography device selects a random subset S £ ( 1 , . . . , f) , 
and transmits the subset to party / via an I/O. 

3. Party /'s cryptography device computes y = jfi^*s$\ m °d N and 
transmits y to party y. 

10 4. Party y's device verifies party /'s identity by checking that y 2 = 

/ 2 n /€S \^ / (mod /V). 

The Schnorr authentication scheme is another cryptosystem for a first 
party to authentic its identity to a second party. The security of the Schnorr 
authentication scheme is based on the difficulty of computing discrete log 
15 modulo a prime. In Schnorr's authentication scheme, party / and party y agree 
on a prime number p and a generator g of Z* 9 where Z p * is group of integers 
modulo p and relatively prime to p. Party / chooses a secret integer s ; and 
publishes y, = g 87 mod p as party /'s public key. Party / authenticates itself to 
party j by engaging in the following protocol: 
20 1 . Party i's cryptography device selects a random integer r e [0,p) 

and sends z = cf mod p to party y's cryptography device via an I/O 
210. 
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2. Party y's cryptography device selects a random integer te 10, 71 
and sends t to party / via an I/O. Here, T<p is an upper bound 
chosen beforehand. 

3. Party /'s device sends u= r+fs mod p-1 to party y's device. 

4. Party y's device verifies that g" = zy x mod p. 
Cryptography schemes such as Schnorr have the property that if two 

distinct messages are signed using the same random element (e.g., r), then the 
secret key of the signer can be computed by anyone having the messages, the 
signatures, and public information such as the public key of the signer. 
2. Prior Art Difficulties Cracking Crvptosvstems 

Cracking the RSA public key cryptosystem, and several other 
cryptosystems, is difficult because it typically requires that the modulus be 
factored (or other operation of comparable complexity). This is particularly 
difficult. It takes thousands of hours of computing time to factor a 512 bit 
modulus. RSA currently uses a 512 bit modulus, but it is expected that this 
may be upgraded in the future to a 1 024 bit modulus. However, if the modulus 
may be determined without significant factoring, the computing time may be 
greatly reduced and the security of the cryptosystem compromised. 

In an article "Timing Attacks on Implementations of Diffie-Hellman, RSA, 
DSS, and Other Systems," Proc. of Crypto '96, P. Kocher proposes that a few 
bits of a modulus may be obtained by the amount of time certain operations 
took to be performed. This allowed the cryptosystem to be cracked without 
factoring. The drawbacks of this method are (1 ) it requires very precise timing 




of the length of time taken to perform certain calculations; and (2) it requires 
a large number of samples. 

3. Reasons For Cracking A Crvptosvstem 
The availability of electronic commerce and certain electronic 
5 communications depend on difficult-to-crack cryptosystems to prevent 
unauthorized access to the secured information. If, for example, an adversary 
obtains a party's secret key, the adversary could electronically forge the party's 
signature without the party's knowledge. As another example, the adversary 
could present itself to third parties as the party whose secret key was obtained. 
^ 10 Moreover, once obtained, the secret key may be duplicated and shared with 
jjj others. Thus, it is vitally important that the cryptosystem used to protect 

gi important information be difficult to crack. 

-0 

H- A threat model for cracking a cryptosystem is useful because it verifies 

O 

^ whether a cryptosystem or cryptography device is vulnerable to that attack. 

JS? 15 If so, the system or device is no longer considered to be secure. This is true 
P because in the cryptography community, the mere possibility of an attack on 

a cryptosystem is universally accepted as very serious. Security experts must 
assume that the cryptosystem is no longer safe from adversaries. Thus, a 
method for cracking cryptosystems is an exceptionally useful tool for security 
20 experts and cryptosystem designers testing existing cryptosystems and 
developing new cryptosystems. The cracking method may be applied to an 
existing or a proposed system to verify that the system is impervious to the 
attack. Thus, the cracking method may also be used to design cryptosystems 
impervious to the attack. 
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Therefore, it is an object of the present invention to provide a method for 

cracking the public key signature cryptosystems without factoring the modulus. 

It is another object of the present invention to provide a method for 

cracking cryptosystems -trstfKj-the Chinese Remainder Theorem. 

A 

5 It is yet a further object of the present invention to provide a method for 

cracking authentication cryptosystems. 

It is yet another object of the present invention to use transient errors in 
encrypted data to determine secret information. 

It is yet a further object of the present invention to provide methods for 
10 testing the security of a cryptosystem. 

It is a further object of the present invention to provide a method for 
providing a cryptosystem and/or cryptography device impervious to cracking 
due to transient hardware faults. 

15 SUMMARY OF THE INVENTION 

The present invention is directed to methods for using one or more faulty 
computations made by a cryptography device to infer secret information stored 
in the cryptography device. The inventive method is based on the well- 
accepted proposition that no computing system is perfectly fault free. In a 
20 preferred method, a security expert or cryptosystem designer may intentionally 
induce a tamper proof device or other cryptography device to generate a faulty 
computation by subjecting the device, such as a smart card, to physical stress. 
Such physical stress may be, for example, certain types of radiation, atypical 
voltage levels, or a higher clock rate than the device was designed to operate 
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at or accommodate. Cryptosystems and/or cryptography devices should 
preferably be impervious to the attacks described herein. If not, the system or 
device should desirably be modified. In some cases it may be desirable to 
discard the system. 

5 In certain cryptosystems, such as a signature scheme based on the well 

known Chinese Remainder Theorem, a single error of any type is sufficient to 
crack the system. In certain other cryptosystems, such as certain 
authentication schemes, repeated errors of a specific type are used to crack the 
system. The inventive methods are useful tools for security experts and 
10 cryptography experts when testing or developing a cryptosystem or 
if cryptography device. Thus, the inventive method may be used to provide 

{jlT cryptosystems and/or cryptography devices impervious to cracking due to 

y[ transient hardware faults. 

7 In a first embodiment of the present invention, the RSA Chinese 

yj 15 Remainder Theorem based signature scheme and Rabin's Signature scheme 

(both of which may separate into linear components) are cracked by comparing 
LJ a single erroneous signature on a message with a correct signature on the same 

message. In a second embodiment, these two schemes may be cracked with 
only a single erroneous signature if the content of the signed message is 
20 known. 

In a third embodiment, a certain type of fault called a register fault is 
used to crack the Fiat-Shamir and Schnorr authentication schemes. This is 
done by receiving a correct and a faulty value during an authentication process 
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to determine a secret value. Using this secret value, sets of data may be 
constructed which will reveal the other party's secret key. 

In a fourth embodiment, erroneous signatures of randomly selected 
messages are each used to obtain a portion of a secret exponent. When a 
sufficient number of bits are obtained, the remaining bits may be "guessed" to 
obtain the entire secret exponent. 

The inventive method is a creative use of a cryptography device's 
miscalculations. Because it is believed that all computers are prone to error, 
even cryptosystem servers stored in a secure environment may not be secure 
from these attacks. Thus, even such servers should be tested using the 
inventive method cracking cryptosystems. These attacks reveal an important 
finding: cryptography devices — from smart cards to network servers used by 
certification authorities which oversee the distribution of public key certificates - 
- should now not only conceal their inner circuitry (to avoid revealing its secret 
key), but must also be fault resistant, to avoid generating erroneous 
calculations. The present invention provides a method for designing and 
implementing cryptosystems and cryptography devices impervious to cracking 
due to transient hardware faults. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention is described with reference to the following figures: 
Fig. 1 A is a block diagram of a typical cryptography device; 
Fig. 1 B illustrates a communications network over which cryptography devices 
may communicate; 
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Fig. 2 is a block diagram of a typical tamper proof device, such as a smart card. 
Fig. 3 illustrates a first method according to the present invention; 
Fig. 4 illustrates a second method according to the present invention; 
Fig. 5 illustrates a third method according to the present invention; 
5 Figs. 6A and 6B are flow charts illustrating two conventional exponentiation 
functions; and 

Fig. 7 is a flow chart of an inventive method used with the methods of Figs. 6A 
and 6B. > 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

The present invention is described in the following sections: 

I. Types of Faults which may occur which permit certain cryptosystems to 
be cracked are described with reference to Fig. 2. 

II. Cracking Cryptographic Signature Implementations that Use the Chinese 
Remainder Theorem is described with reference to Figs. 3 and 4, 
including discussion of the RSA Signature Scheme and the Chinese 
Remainder Theorem, Cracking the RSA Signature Scheme, and Cracking 
the Rabin Signature Scheme. 

III. Using Register Faults To Break Cryptosystems is described with 
reference to Figs. 5, 6A, 6B, and 7, including discussion of Using 
Register Faults to Attack the Fiat-Shamir Authentication Scheme, Using 
Register Faults to Crack Schnorr's Authentication Scheme, and Using 
Register Faults to Crack Other RSA Implementations. 




11 



IV. Providing Cryptosystems and Cryptography Devices which Resist 
Tampering Due to Hardware Faults is described. 

V. A Conclusion is provided. 

I. Types of Faults 

a. Overview of Faults 

Several types of faults may enable a cryptosystem to be cracked. These 
faults include transient hardware faults, latent faults, and induced faults. 

Cryptography devices, such as the device illustrated in Fig. 1 A, described 
above, are subject to random transient hardware faults. Random transient 
hardware faults may cause an erroneous output from the cryptography device. 
Referring to Fig. 1 A, a random transient hardware fault in the processor 1 02 or 
memory 104, 106 may cause the certification authority to generate on rare 
occasion a faulty certificate. If a faulty certificate is sent to a client, that client 
may be able to break a certification authority's system and generate fake 
certificates. 

A latent fault is a hardware or software bug which may be difficult to 
detect. Such bugs may occur in the design of the processor 102, or in the 
design of software stored in the main memory 104 or the disk memory 106. 
On rare occasions such bugs may cause a certification authority or other 
cryptography device to generate a faulty output. 

Induced faults may occur when a security expert or cryptosystem 
designer has physical access to a cryptography device. The security expert or 
cryptosystem designer may purposely induce hardware faults by, for example, 
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attacking a tamper proof device by deliberately causing it to malfunction. An 
induced fault may, for example, briefly alter a value stored in the main memory 
104 or the disk memory 106. Erroneous values computed by the device allow 
the security expert or cryptosystem designer to extract secret information 

5 stored in the cryptography device. 

The present invention generally assumes that any faults generated by the 
cryptography device are transient. That is, the faults only affect current data, 
but not subsequent data. A transient fault may be a bit stored in a register 
which spontaneously flips or a gate which spontaneously produces an incorrect 

10 value. In such instances, the hardware system is typically unaware that any 
change has taken place. The present invention also assumes that the 
probability of such faults is so small that only a small number of them ever 
occur during a single computation, 
b. Register Faults 

15 A certain type of fault - a register fault is used to crack certain public 

key authentication cryptosystems, as described below. A register fault is a 
transient corruption of data stored in one or more registers. Because one or a 
few bits in a register are corrupted, the erroneous calculation will have certain 
predictable properties (such as being a power of 2 or a sum of a few powers 

20 of 2). 

As seen in Fig. 2, a tamper proof device 200, such as a smart card, 
comprises circuity such as a processor 202 and a small amount of memory 
204. The circuity 202 performs certain arithmetic operations and the memory 
(typically several registers 206 and a small RAM 208) stores temporary values. 
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An I/O 210 is provided to receive and transmit data. An electrically erasable 
programmable read only memory (EEPROM) 212 may be provided for storing 
secret information, such as secret keys. These components 202 - 210 are 
connected by a bus 220. 
5 With low probability, one or a few of the bits of the value stored in some 

register 206 may invert (e.g., change from a logic 0 to a logic 1 or vice-versa). 
It is assumed that this event occurs with sufficiently low probability so that 
there is some likelihood of a fault occurring only once throughout a 
computation. These errors may be transient and the hardware may not be 

10 aware that the data corruption has occurred. 

Under normal operating conditions, hardware is substantially error free. 
However, when such hardware is placed under physical stress, such as being 
placed in an extreme environment such as exposing it to certain radiation, 
atypical voltage levels, or fast clock signals, errors are likely to occur. This 

15 extreme environment may not affect the circuity, but may cause certain register 
cells to spontaneously, temporarily invert. Such faults are referred to herein as 
"register faults". A security expert or cryptosystem designer may intentionally 
subject a tamper proof device 200, such as a smart card (or other cryptography 
device), to an extreme environment in order to test whether the device may be 

20 induced to generate an erroneous output. If so, the system may be cracked. 
Also, it is a well-accepted that no computing system is entirely error-free. 
Thus, even in the absence of physical stress any cryptography device is 
susceptible to generating an erroneous output on rare occasions. 

25 



14 



II. Cracking Cryptographic Signature Implementations 
That Use the Chinese Remainder Theorem 

5 One version of the present invention relies on the Chinese Remainder 

Theorem (CRT) to crack the RSA/CRT and Rabin modular square schemes. The 
Chinese Remainder Theorem is well known and described, for example, in A. 
Aho, J. Hopcroft, and J. Uilman, The Design and Analysis of Computer 
Algorithms , pp. 294-303 (Addison-Wesley 1974). The content of this 

10 reference is incorporated herein by reference. * 

a. The RSA Signature Scheme And The Chinese Remainder Theorem 
The RSA signature scheme may be implemented in a tamper proof device 
200, such as a smart card, and may be used to perform various encryption and 
decryption functions for its owner, party /. The tamper proof device typically 

15 contains in the registers 206 a secret RSA decryption key which is used to 
decrypt messages for party /. This device 200 may be used, for example, to 
prepare digital signatures for party /, to authenticate party / to another party /, 
and to decrypt incoming encrypted messages. Assume that some secret 
information (such as party i's secret key) is stored in a tamper proof device. 

20 Because the device 200 is tamper proof, it cannot be opened and its contents 
examined. Thus, it is assumed that the secret information stored in the device 
cannot be extracted by opening the device. 

For illustrative purposes, the present version of the invention will be 
described as a device for obtaining digital signatures for party /. Let N-pqbe 

25 a product of two large prime numbers. To sign a message m using the RSA 
signature scheme, the tamper proof device 200 uses the processor 202 to 

15 



compute E = rrf' (mod N) where s, is a secret exponent stored in the register 
206. The message m is assumed to be an integer in the range from 1 to N. As 
described above, the security of this system relies on the fact that factoring the 
modulus N is difficult. If the factors p,q of N are known, one can easily crack 
5 the system and sign documents without prior knowledge of the secret exponent 
s,. 

The computationaly expensive part of signing using the RSA scheme is 
the modular exponentiation of the input m, which is performed by the processor 
202. For efficiency, many implementations of the RSA scheme exponentiate 
10 signature £ into two portions £, and E 2 as follows: first £, = X s (mod p) and E 2 
— X s (mod q) are computed. Second, the Chinese Remainder Theorem is used 
to compute the RSA scheme signature E = m st (mod A/). 

Let a, b be two integers pre-computed by the processor 202 and stored 
in memory 206, which integers satisfy: 

a = l (mod p) b=0 (mod p) 

and 

a=0 (mod q) b=l (mod q) 

15 (2) 
Such integers always exists and can easily be determined by the processor 202 
given p and q. It now follows that: 

E=aE 1 +bE 2 (mod N) 

(3) 

The signature £is computed by processor 202 by forming a linear combination 
20 of £ 1f £ 2 . This exponentiation algorithm is more efficient than using the 
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processor 202 repeatedly to square modulo N because the numbers involved 

are smaller. 

b. Cracking the RSA Signature Scheme 

5 1 . Cracking the RSA Signature Scheme By 

Comparing a Correct and an Incorrect Signature 

Using the linear combination set out above, the modulus N may be 

determined by a cryptography device such as the device 100 seen in Fig. 1 A 

10 or a computer or other processor by comparing a correct signature E with an 
incorrect signature E for the same message. The inventive method is illustrated 
in Fig. 3. Let m be a plain text message and let E = m si (mod N) be the correct 
cryptographic signature of the message received by cryptographic device 100 
at the I/O 108 and stored in memory 104 or 106. Let f be a faulty 

15 cryptographic signature for the same message m, and which is also received by 
the device 100 and stored in memory 104 or 106. 

As seen in Fig. 3, party i's cryptography device 200 generates signature 
E for message m. E is transmitted to party j's cryptography device (or other 
processor) 100. Party j's cryptography device stores E in memory (step 1). 

20 Party j may be a security expert or cryptosystem designer. For clarity of 
illustration, the inventive method is described as a first cryptography device 
generating faulty computations and a second cryptography device or processor 
"cracking" the cryptosystem. It is also contemplated, however, that the 
inventive method may be performed by a single cryptography device. Party i's 

25 cryptography device generates an erroneous signature E for the same message 
m. This erroneous signature may be generated, for example, while a tamper 
proof device 200 is placed under physical stress, such as being placed in an 
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extreme environment, which is likely to cause hardware faults. £is transmitted 
to party y's cryptography device or processor. Party y's cryptography device 
100 stores E in memory (step 2). 

Recall that E and E are computed as: E = aE y + bE 2 (mod N) and £ = 
a£ n + 6£ 2 (mod N), respectively. Because hardware faults occur with low 
probability, it is reasonable to assume that a hardware fault occurs during the 
computation of only one of E u E 2 . Thus, it is assumed that a hardware fault 
occurs during the computation of but no fault occurs during the computation 
of E 2 . Thus, E 2 = E 2 . 

Party y's cryptography device now uses E and E to obtain N in the 
following manner. Observe that: 

E - E = faE 1 + bE 2 ) - (aE 1 + bE 2 ) 

(4) 

Because E 2 = E 2 , this equation becomes: 

aE^ + bE 2 - aE y - bE 2 = aE 1 - aE 1 = a (Ej-E,) 

If E r E 1 is not y ^cv i3 obkr by p, then: 

gcd (E-EM = gcd (a (E r E 1f N)) = Q 

(5) 

(step 3). Once qr is obtained, party y's cryptography device or processor 100 
may easily determine N (step 4). 

If the factors of N are randomly chosen by the tamper proof device 200, 
then it is extremely unlikely that p divides This is unlikely because E r E f 

can have at most log N factors. This limited number of factors is because the 
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lengths of E and E limit the number of times these numbers may be divided by 
a smaller quantity. 

By using one faulty and one correct value of the same RSA signature, the 
modulus used in the RSA system can be easily determined. In this attack, it 
makes no difference what type of fault occurs or how many faults occur in the 
computation of £",. Moreover, to determine the modulus N, only one correct 
and one incorrect signature of the same message needs to be received. All that 
is assumed is that the fault occurs in the computation modulo of one of the 
primes p, q only. 

2. Cracking the RSA Signature Scheme 
Using Only An Incorrect Signature 

In fact, one faulty signature of a known message m is sufficient to obtain 

N. This version of the inventive method is illustrated in Fig. 4. No correct 

signature of the same message is required. Let E = mod /V. Let f be a 

faulty signature having the same fault as above, that is E = E mod q but E m 

E mod p. Party i's cryptography device 200 generates E and transmits E to 

party y's cryptography device or processor 100. Party /s cryptography device 

or processor receives £. (step 1). It now follows that: 

gcd (M-£ e \ N) = q 

(6) 

where e, is the public exponent (or public key) used to verify the decrypted 
signature, i.e., E* f = m mod N (step 2). Once q is determined, party y's 
cryptography device 1 00 or processor may easily factor N (step 3). Thus, if the 
cryptography device 100 or processor knows message m, it may factor the 
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modulus given only one faulty signature. This is important because some RSA 
signature implementations avoid signing the same message twice by using a 
"padding" technique. 

If the padding is not random (i.e., the padding is an A?-bit number 

5 appended to the end of the message), the message m may be determined. This 
improvement shows that as long as the entire signed message is known, even 
non-random padding protected RSA/CRT systems are vulnerable to the 
hardware faults attack with only a single faulty signature. If the padding is 
random, then the message m cannot be separated from the padding and the 

10 message m is not known. This method will not work if the message is not 
known. 

c. Cracking the Rabin Signature Scheme 

The expensive part of signing using Rabin's signature scheme is the 
15 extraction of the modular square root. This, as with the RSA signature scheme, 
is usually implemented using the Chinese Remainder Theorem. A cryptography 
device such as a smart card 200, may use its processor 202 to compute: 

E =Jd~ / (mod N) 

(7) 

20 

The processor 202 first computes: 

E^y/D (mod p) and E 2 =y/D (mod q) 

(8) 
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This is done using a standard square root algorithm modulo a prime. The 
processor 202 may use the Chinese Remainder Theorem to compute signature 
E. Using the same a, b, defined above, £ is determined as: 

E=aEi+bE 2 {mo& N) 

(9) 

Because the Rabin Signature Scheme may be divided into a linear 
equation similar to the RSA signature scheme (see eq. 4), the same attacks 
described above with reference to Figs. 3 and 4 may be used to crack the 
device using the Rabin signature scheme. Under the first attack (Fig. 3), the 
device signs the same message twice, one signature, £, is obtained in normal 
conditions and is therefore the correct one. The second signature, E, is 
erroneous. The erroneous signature E may be obtained, for example, in an 
extreme physical environment and therefore is likely to be the erroneous 
signature. As described above, gcd (£-£, N) is likely to yield a factorization of 
N. Under the second attack (Fig. 4), if the cryptography device 100 or other 
processor knows document D it may factor the modulus without comparing it 
to a correct signature of the same message. 

HI- Using Register Faults To Crack Crvptosvstems 

a. Using Register Faults to Attack 

the Fiat-Shamir Authentication Scheme 

The Fiat-Shamir authentication scheme may be cracked by correctly 

guessing the value of the error caused by a register fault. Because register 

faults have known properties (they are powers of 2 or a product of powers of 
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2), the error may be easily guessed by a processor. Using the Fiat-Shamir 
authentication scheme, a security expert's or cryptosystem designer's 
cryptography device 100, computer, or other processor may compare an 
erroneous message with a correct message to obtain a random number r 
selected by party i's cryptography device, such as a tamper proof device 200 
of Fig. 2. Once r is known, the security expert's or cryptosystem designer's 
cryptography device 100 or other processor may perform calculations to 
determine party i's secret key. 

Party i's secret key, comprising a number of bits s ; ,...,s f , may be 
recovered by party y's cryptography device by using register faults. Given f 
faulty runs of the protocol, party y's cryptography device may recover the secret 
key bits s,,...,s, with probability of 1/2 using 0 (n 2 t) arithmetic operations, 
where 0 is order of magnitude. 

This inventive method is illustrated in Fig. 5. Assume party / uses a 
tamper proof device 200 on which the secret key bits are embedded in register 
206 and from which the secret key bits cannot be extracted. Party y is a 
security expert or cryptosystem designer trying to discover the secret key bits 
stored in party i's tamper proof device. To do so, party y's cryptography device 
executes the protocol below several times. The protocol is performed as 
follows. Party i's device generates r 2 mod N and transmits this value to party 
y's device. Party y's cryptography device observes the value r 2 mod N generated 
by party i's device (step 1 ). Party y's cryptography device then selects a subset 
S£ {1,.-.f} (step 2) and observes the value y = rTI /€ES s, returned to the device. 
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Assume that due to a register fault in party i's tamper proof device, one 
bit of a register holding a value r is inverted while party /'s device is waiting for 
party j to send to it subset S. In this case, party / has already received the 
correct r 2 mod N value during step 1 of the protocol. However, the y value 
5 computed by party / in step 3 is incorrect. Due to the register fault, party i's 
device outputs: 



(10) 

where E is the value added to the register as a result of the register fault (step 
10 3). This value is transmitted to party j's device. Recall that party j's 
cryptography device knows the value of n /fJ v, from step 4 of the Fiat-Shamir 
protocol. Thus, party j's cryptography device may compute: 

(r+£) 2 = (mod N) 

(1D 

wherein v g = s, 2 

15 

Because E is an inverted bit in a register, it is a binary number of low weight, 
i.e., a power of 2 or a sum of few powers of 2 (i.e., E=2 k for some 1 <* k ^ 
n). Thus, party J's cryptography device can easily determine the value of lz by 
selecting all possible values of E until the correct value is determined (step 4). 
20 If E is correctly guessed, then party j's cryptography device may recover r 
because: 
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(r+£) 2 -r 2 =2£r+£ 2 (mod N) 

(12) 

(step 5). This linear equation for r can be easily solved. Party y's ability to 
discover the secret random r is the main observation which permits the system 
to be cracked. 

Using the values of r and E, party y's cryptography device may compute: 



Uus s i = 7& (mod 



(13) 

Thus, party / may compute the value n /eS s, by guessing the fault value E and 
using the formula: 

— Z -r 2 +£ 2 



(14) 

(step 6). 

Party / may now verify that fault value E was correctly guessed. Let T 
be the guessed value of l"1 /eS s, obtained from equation (14) above. To verify that 
£ is correct, party /"s cryptography device checks that T 2 = l\ s Vj. There is a 
high probability that only one low-weight value £ exists where this relationship 
is satisfied. Therefore, if the relationship is satisfied, party / is very likely to 
have obtained the correct value of n feS s,. 



24 



In the unlikely event of two values E, E' satisfying the relation, party / 
may still crack the cryptosystem. Observe that the relation {y') 2 = (r') 2 t 1 
implies that T 2 = n, vs s,. 

If there exists two low weight values E, E' generating two values T, V , wherein 
T T' satisfying the relationship, then T 2 = T 2 (mod N). If T ^ T (mod N) 
then party j's cryptography device already may factor N. 

Assume T — -T (mod /V). Because one of T or T equals n /£S s,. (i.e., one 
of E, E' is the correct fault value), it follows that party / now knows that n, v5 s, 
up to the sign. This is sufficient to crack the cryptosystem. Because £ is a low 
weight binary value, party j's cryptography device may substitute all possible 
values for E until the correct value is determined. 

Once party / has a method for determining n /fS s, for various sets of S of 
party j's cryptography device's choosing, party /may easily find party i's secret 
key bits s v ...,s t . A simple approach is for party j's cryptography device to 
construct n /fS s, for singleton sets, i.e., sets S containing a single element. If S 
= {k}, then n /fS s, = s* and therefore s* may be found for each k. If party /*s 
tamper proof device 200 refuses to accept a singleton set, party /may still find 
party i's secret keys in the following manner. Party y's cryptography device 
may select sets at random such that resulting characteristic vectors are linearly 
independent. A set is represented as follows: S £(1 r ...,f) by its characteristic 
vector U G (0,1 ) f . That is, U t = 1 if /GS and U t = 0 otherwise. Party /picks 
sets S 1 ,...,S f such that a corresponding set of characteristic vectors U U t 
form a t x t full rank matrix over Z 2 , where Z 2 is a ring of integers, modulo 2 
(step 7). Party j's cryptography device then performs the Fiat-Shamir 
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authentication scheme above to construct the values T,= n, e5 s, for each of the 
sets S u ... f S t (step 8). 

For example, party j may determine s 1# by constructing elements a u ...,a t 
€ {0, 1} such that: 

a 1 U x + . . . + a t U t = (1,0,0,...,0) (mod 2) 

(15) 

These elements may be efficiently constructed because the vectors U 1t ...,U t axe 
linearly independent over Z 2 . When all the computations are completed over the 
integers, the following is obtained: 

a 1 U 1 + . . . + a t U t = (2b 1 + l, 2b 2 , 2b 3 , . . . , 2b t ) 

(16) 

for some known integers b u ...,b t . Party j's cryptography device may now 
compute St using the formula: 




(mod N) 



(17) 

(step 9). Recall that the values v t — s, 2 (mod N) are publicly available. The 
values s 2 ,... / s k may be obtained using the same procedure. 

The procedure above made use of t faults and took O (n 2 t) arithmetic 
operations. The faults occur while party /'s device is waiting for a challenge 
from the outside world. Consequently, the security expert knows when the 
register faults are induced. 
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The Fiat-Shamir scheme may be modified. Recall that in the Fiat-Shamir 
protocol set out above, in step 2, party / sends r 2 (mod N) to party j; and in step 
4, party j verifies party /'s identity by checking that y 2 —r 2 U i€S v t (mod /V). If 
this protocol is modified to use higher powers instead of just squaring the 
5 values, the inventive method illustrated in Fig. 5 may still be used to crack the 
modified scheme. 

Assume that the modified scheme uses a publicly known exponent e 
instead of squaring. As before, party /'s secret key is a set of invertible 
elements (bits) s 1f ...,s t (mod /V). Party /'s public key is a set of bits v y = 
10 v t = s/ lmod/V). Party /authenticates itself to party/ using the following 

protocol: 

1 . Party i's cryptography device, computer, or other processor 
selects a random r, generates /* mod /Vand transmits this value to 
party / via an I/O. 

15 2. Party / s cryptography device or other processor selects a random 

subset S^ (1,...,f), and sends the subset to party i's device via an 
I/O. 

3. Party i's cryptography device computes /*n /6S s,. 

4. Party j's cryptography device verifies party i's identity by checking 
20 that y* = a* (mod A/). 

When e = 2, this protocol is the same as the original Fiat-Shamir protocol 
described above. Using the methods described above, party /may obtain the 
value L 1 =i* (mod N) and L 2 = (r + £) e mod N. As above, assume that party /'s 
cryptography device has correctly guessed the value of £. Given these two 
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values, party y's device may recover r by observing that r is a common root of 
the two polynomials: x e = i_, (mod N) and (x + E) e = L 2 (mod /V). 
Furthermore, r is likely to be the only common root of the two polynomials. 
Consequently, when the exponent e is small, e.g., e<n 2 , party y may recover 

5 r by computing the greatest common divisor of the two polynomials. Once 
party / has a method for computing r he can recover the secret key bits s, , . . . ,s t 
as discussed above. 

b. Using Register Faults to Crack Schnorr's Authentication Scheme 
Using register faults, secret integer s, of the Schnorr authentication 

10 scheme may be extracted from party i's cryptography device. When p is an 77- 
bit prime number, the attack requires n log n faulted values and O (n 2 ) 
arithmetic operations. This is done as follows: 

Let p be an /7-bit prime number. Given n log n faulty runs of the protocol, 
secret key s, may be recovered with probability at least % using 0{n 3 ) arithmetic 

15 operations. 

Party / wishes to extract the secret information stored in the device. 
Party y's cryptography device or other processor selects a random challenge t. 
The same challenge will be used in all invocations of the protocol. Because 
party i's device cannot possibly store all challenges given to it thus far, it 
20 cannot possibly know that party j is always providing the same challenge f. 
The attack will enable party /to determine the value f-s, mod p from which the 
secret value s, can be easily found . For simplicity, set x = fs, mod p and assume 
that g* mod p is known to party y's device. 
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Suppose that due to a register fault in party /'s device, one of the bits of 
the register 206 holding the value r is flipped while the device is waiting for 
party y's device to send it the challenge f. More precisely, when the third phase 
of the protocol is executed, the party i's device finds ? = r+2' in the register 
5 holding r. Consequently, party i's device will output 0 = ? + x mod p. Party y's 
device may then determine the value of / (the fault position) by trying all 
possible values / = 0,...,A7 until finding an / satisfying: 

gQ='g2i g*gX (mod p) 

(18) 

Assuming a single bit flip, there is exactly one such /. The above identity 
proves to party y that ? = /-+2' showing that the /th bit of r is 1 . 

This information permits party y to recover x in time 0{n 2 ). Assuming 
that the register faults occur at uniformly and independently chosen locations 
in the register r, s, may be recovered in time O (n 2 ). It follows that with 
probability at least % that a fault will occur in every bit position of the register 
r. In other words, for every 1 < / < n there exists an f^,...,/^* 1 such that the 
/th bit of r M is known to party / (the first bit is the LSB). 

To recover s,, party J's cryptography device first guesses the log 8n bit 
strings until the correct one is found. Let X be the integer that matches x on 
the most significant log 8n bits and is zero on all other bits. Party y's device 
correctly guesses the value of X. Party y's device may recover the rest of s, 
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starting with the LSB. Inductively, suppose party j's device has already 
determined bits s / , 1 ,...,s 2/ s 1 of x. (Initially / = 1). Let: 

(19) 

To determine bit s„, party /'s device uses ^ of which it knows the /th bit and 
the value of x + /-"\ Let b be the /th bit of r*'\ Then 

x ± =b © i 7 tA bi t (x+r (1) -Y-X mod p-1) 

(20) 

assuming no wrap around, i.e., 0<_ x + r ii) -Y-X<p-1 (the remainder cannot be 
greater than the number being divided). Because x-X<p/8n, wrap around may 
occur only if r*' 1 >(1-1/8A7)p. Since the as are independently and uniformly 
chosen in the range [Q,p) f the probability that this does not happen in all n 
iterations of the method is more than %. 

Once X is correctly determined, the method runs in linear time and 
outputs x with probability at least %. (The reason for the V* is that all bits of 
r should be "covered" by faults and all /> should not be too large. Both events 
are satisfied with probability at least %.) Of course, once a candidate x is 
found, it can be easily verified using the public data. There are 0{n) possible 
values for X and thus, the running time of this step is 0{n 2 ) . 

This attack also works in the case of multiple bit flips of the register r. 
As long as the number of bit flips is constant, their exact location can be found 
and used by party/. Note that the faults occur while party i's device is waiting 
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for a challenge from the outside world. Consequently, party / knows exactly 

at what time the faults should be induced. 

c. Using Register Faults to Crack RSA Implementations 
Register faults may be used to break other RSA implementations that are 
5 not based on the Chinese Remainder Theorem. Let N be an /7-bit RSA 

composite and s,. be a secret exponent. The exponentiation function x x*' 

mod N may be computed using either of the following conventional methods 

600, 650 illustrated in Figs. 6A and 6B: 

• Method I (Fig. 6A) 

10 init y x; z 1 (step 602). 

main For k = 1,...,/? (steps 604, 610). 

if kth bit of s is 1 (step 606) then z «- zy (mod N) (step 

608). 

y *- y 2 (mod N) (step 610). 
15 Output z (step 612). 

• Method II (Fig. 6B) 
init z *- x (step 652). 

main For k = /7-1 down to 1 (steps 654, 662). 

if kth bit of s is 1 (step 656) then z <- z 2 x (mod N) (step 

20 658) 

otherwise, z <- z 2 (mod N) (step 660). 
Output z (step 664). 
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For both methods 600, 650, given several faulty values by a 
cryptography device, a security expert's or cryptosystem designer's 
cryptography device, computer, or processor may obtain the secret exponent 
in polynomial time. In this version of the invention, faulty values are obtained 
5 in the presence of register faults. This attack uses erroneous signatures of 
randomly chosen messages; the attacker need not obtain the correct signature 
of any of the messages. Furthermore, an attacker's cryptography device or 
processor need not obtain multiple signatures of the same message. 

With probability of at least 1 12, the secret exponent s, can be extracted 
10 from a device (such as smart card 200) implementing the first exponentiation 
algorithm by collecting (nlm) log n faults and 0 (2 m -n 3 ) RSA encryptions, for any 
1 _< m < n. For a small public exponent e, this takes O (2 m -/? 4 ) time. For a 
random e, it takes O (2 m -n 5 ) time. 

The following faults are used: let m be a message to be signed and m 
15 € Z N , where Z N is a ring of integers modulo N. Suppose that a register fault 
occurs at a single random point during the computation of nf* mod N. That is, 
at a random point in the computation one of the bits stored in a register (such 
as register 206) flips. The resulting erroneous signature is E. An ensemble of 
such erroneous signatures enables one to recover the secret exponent s,. Even 
20 if other types of faulty signatures are added to the ensemble, they do not 
confuse the inventive method. 

Let / = (nlm) log n and let m u ...,m L e Z N be a set of random messages. 
Set £j = mod N to be the correct signature of a message m r Let E % be an 
erroneous signature of the message m g . A register fault occurs at exactly one 
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point during the computation of E t . Let k t be the value of k (recall k in the 
counter in Method I, 600 above) at the point at which the fault occurs. Thus, 
for each faulty signature £, there is a corresponding k t indicating the time at 
which the fault occurs. The messages may be sorted by a processor (i.e., 202 
5 of Fig. 2) so the *\<^k x <_k 2 <L-~<. k f < n. The time at which the faults occur 
is chosen uniformly (among the n iterations) and independently at random. It 
follows that given / such faults, with the probability at least half /r j+1 - k x < for 
all / = 1 ,...,A7. Since the location of the faults are unknown, th^ values k x are 
also unknown. 

10 Let s, = s„, s^,...^ be the bits of the secret exponent s,- where s„ is the 

MSB and s y is the LSB. Each of the bits in s,- is recovered one-by-one. A block 
of these bits at a time may be recovered starting with the MSBs. Assume bits 
s n , s n . lf s* ; for some / are known. Initially / = / 4- 1 indicating that no bits 
are known and it is desired to determine the next bit. Bits s kn , s ki _ 2 , - - .s* A1 may 

15 be recovered in the following manner. All possible bit vectors are tried by a 
cryptography device or computer until the correct one is found. Note that the 
location within s, of each bit s„, s„.,,... is unknown. Because even the length 
of the block is unknown, all possible lengths are tried. The inventive method 
for determining the next bit may be performed by a cryptography device or 

20 computer processor using the method 700 illustrated in Fig. 7 and set out 
below. 

1. Initialize r = 0 (step 702); 

2. For all lengths r = 0, 1, 2, 3, ...(step 704) do: 

3. For all candidate r-bit vectors U kr s y U kri ...U ki . r (step 706) do: 
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4. Set: 



# 




(21) 



In other words, w matches the bits of s and U at all known bit positions 



and is zero everywhere else (step 708). 
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Test if the current candidate bit vector is correct by checking if 



one of the erroneous signatures Ej, / = 1 , . . . ,/ satisfies (step 710): 



3ee{0, . . . ,n] s.t. (&j±2 e m^) ei =mj (mod N) 



(22) 



wherein e is the public exponent. (The ± means that the condition is satisfied 
if it holds with either a plus or a minus.) This step means that all combinations 
10 of bits using this erroneous bit are tested until the proper location is found. The 
inverse of the erroneous bit is the correct bit in that location. 

6. If a signature satisfying the above condition is found (step 712), 
the cryptography device outputs u kiA u kh2 ..M kiA and stops (step 
714) for that r. At this point it is determined that k h1 ~k r r and s* M 

15 

s */-2'--' s itAi ~ u kM u ki-2> ~ - ' u ki-r 'f 3 signature satisfying the condition 



Steps 706-716 are repeated for each r between 0 and n (steps 718, 
704). The condition at step 710 is satisfied by the correct candidate u kl . y9 u kh 
2 , ...,u*av Recall that £ M is obtained from a fault at the * M st iteration. At the 
20 * M st iteration, the value of z was changed to 2 *- z ± 2 e for some public 



is not found, another candidate vector is tried (step 716). 



exponent e. Notice that at this point =z/lf M . From that point on no fault 
occurred and therefore the signature £ M satisfies: 

E i _ 1 = zMw i _ 1 =S i _ 1 ±2 e Mw i , 1 (mod AO 

(23) 

When in step 710 the signature £ A1 is correct, it properly verifies when raised 
to the public exponent e. Consequently, when the correct candidate is tested, 
the faulty signature £ M guarantees that it is accepted. There is a high 
probability that a wrong candidate will not pass the test. 

Note that not all of the bits need to be determined in this manner. For 
example, if 450 bits of a 51 2 bit key are determined through register faults, the 
unknown 62 bits may be tested by trying different combinations of these 
unknown bits. Each combination is used as the secret key s,- and a received 
message is attempted to be decrypted. If the message is properly decrypted, 
the combination used is correct. 

If the method obtains both the faulty and correct signature of each 
message m it the running time is improved to 0(2 m n 2 ) arithmetic operations 
modulo N which takes time 6 (2 m n 2 ). This follows since the error location E can 
be easily found using a lookup table of powers of 2 mod N. 

Using these algorithms, given n log n faulted values a cryptography 
device, computer, or other processor may recover the secret exponent in 
polynomial time. That is, for a message m G Z N , given n log n faulted values 
output by a device computing the function m s/ mod N, the secret exponent s,- 
may be recovered in polynomial time in n. A cryptography device or computer 
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may employ either one of the exponentiation methods above. Note that faulted 
values for this version of the present invention are register faults. 

The method illustrated in Fig. 7 may also be used to crack EIGamal's 
public key cryptosystem. In EIGamal's public key cryptosystem, party / selects 
5 a secret exponent s, and publishes the public key y = g si mod p, where p is an 
/7-bit prime number. To send a message m to party /, party j's device selects 
a random number b and sends to party / two values E y = m mod p and E 2 = 
g* mod p. Party / decrypts the message by computing E y IE^ mod p; 
that is: 

/7? _ g sb m (mod p) 2 
g sh mod p mod p 

10 

(24) 

Assume party / uses a smart card 200 for decryption. The smart card 
contains in a register 206 the secret exponent s, and will output the plain text 
message. The attack on the RSA implementation discussed above permits the 
15 extraction of the secret exponent s, from the smart card. 



IV. Providing Cryptosystems and Cryptography Devices 
Which Resist Tampering Due to Hardware Faults 

20 

In addition to the attacks described above, it is believed that hardware 
fault based attacks may be performed on the following cryptosystems: 

1. DES; 

2. IDEA; 
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3. RC5; 

4. FEAL; and 

5. Skipjack. 

These are secret (or symmetric) key systems, not public key systems. 
Nevertheless, hardware based faults may permit these systems to be cracked. 

Regardless of whether a cryptosystem is a public or private key system, 
vulnerability to a fault-based attack results in a cryptosystem which has 
questionable security, regardless of whether the fault is generated by machine 
imperfection, software bugs, intentionally induced faults, or faults planted at 
the chip level during design and/or manufacturing. 

The Secure Electronic Transmission (SET) standard for on-line Internet 
bank card transactions address faulty computations. The standard provides 
that if a received message fails an authentication test, an error message is 
returned. Thus, erroneous security data is not expected, but acknowledged. 
This acknowledgement is available to eavesdroppers. Ideally, an assurance of 
zero faulty computation is the best protection. However, as discussed above, 
it is well-accepted that no computing system is entirely error-free. As a result, 
verifying cryptographic computations before outputting results is preferred. 

A simple way to avoid cracking due to hardware faults is to check the 
output of a computation before releasing it. This may require recomputing 
functions, which may sometimes result in an expensive or time consuming 
process which may be unacceptable. 

Authentication schemes may be attacked based on register faults in the 
internal memory of a cryptography device. Protection against such an attack 
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• # 

may include (1) detecting the fault; and (2) correcting the fault. Because a 
register fault changes the stored data, the device may have computed the 
(temporarily incorrect) data correctly. This recomputing the data may not reveal 
an error. In multi-round authentication schemes such as Fiat-Shamir, for 
example, error detection/correction bits, such as CRC bits, may be added to 
protect the validity of the stored data. 

Signature schemes may be attacked based on a fault during the 
computation of the signature. ; One way to overcome this attack is to verify the 
signature before outputting it. The device generating the signature may, for 
example, apply the signature verification algorithm on the signature before 
transmission. For example, this may be done in RSA signatures by applying the 
public key to the signature. A second way to overcome this attack is to pad 
the signed message with random bits. This may prevent an adversary from 
obtaining two copies of an identical message. 

An alternative approach to protecting RSA computations which do not 
use the Chinese Remainder Theorem is the use of blinding. To compute X s mod 
N, the cryptography device first picks a random number r and computes y r = ^ e 
mod N, where e is the public exponent: The device computes (xyYIr mod N. 
The result is X s mod /V. 

These attacks may be used in the design and testing of existing and 
future cryptosystems and cryptography devices. Although future cryptography 
devices may have the same overall structure as seen in Figs. 1 A and 2, such 
devices should preferably be modified to be impervious to hardware-fault based 
attacks. One way to design such a device may be to implement one of the 
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software solutions described above. Another way to design such a device is 
protect the device's internal storage from extreme environments by providing 
shielding or other hardware solutions. 

A cryptography device may be verified to be impervious to a hardware 
5 fault-based attack by subjecting the device to one or more of the attacks 
described above. The cryptography device may be verified to be secure against 
these attacks by verifying that an adversary cannot determine secret 
information stored in the cryptography device. 



10 V. Conclusion 

Methods for cracking public key cryptosystems are described wherein an 
erroneous calculation is used to infer secret information. The inventive method 
is a creative use of a cryptosystem device's miscalculations. Because it is 
believed that all computers are prone to error, even cryptosystem servers stored 

15 in a secure environment are not protected from the inventive method of testing 
public key cryptosystems. 

The inventive methods are particularly useful to security experts and 
cryptosystem designers. Existing and proposed cryptosystems . erff" 
cryptography devices should be impervious to the attacks described. If not, the 

20 system or device should be modified or discarded. Smart cards, for example, 
should now not only conceal their inner circuitry (to avoid revealing its secret 
key), but also be fault resistant and/or check computed values before 
transmission, to avoid revealing secret information. 
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The above described embodiments of the invention are intended to be 
illustrative only. Numerous alternative embodiments may be devised by those 
skilled in the art without departing from the spirit and scope of the following 
claims. 
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